2.2.30 Ensure NFS is configured to use RPCSEC_GSS.

Information

The operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.

Rationale:

When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Solution

Update the /etc/fstab file so that the sec option is defined for each NFS-mounted file system and the sec option does not include the sys setting.
Example: vim /etc/fstab
Ensure the sec option is defined as krb5:krb5i:krb5p (the option list is comma-separated with no embedded spaces, otherwise the remainder of the list is not read as part of the options field).

192.168.21.5:/mnt/export /data1 nfs4 rw,sync,soft,sec=krb5:krb5i:krb5p
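A portable audit helper for this check, added here as an example and not part of the benchmark text or Tenable's own plugin logic: it walks an fstab-format file, flags NFS mounts with no sec= option or with sys among the flavors, and returns non-zero when anything needs review. The hosts, exports and fstab contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit an fstab-format file for
# nfs/nfs4 mounts whose sec= option is missing or still permits the sys flavor.
# Prints one line per NFS entry and returns 1 when any entry is NONCOMPLIANT.
check_nfs_sec() {
    status=0
    # fstab fields are whitespace-separated:
    # <device> <mountpoint> <fstype> <options> [dump] [pass]
    while read -r dev mnt fstype opts _; do
        case "$dev" in ''|'#'*) continue ;; esac          # blank or comment
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        # Pull the value of sec= out of the comma-separated option list
        sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
        if [ -z "$sec" ]; then
            echo "NONCOMPLIANT $mnt: no sec= option set"
            status=1
        else
            # Flavors are colon-separated; any sys flavor is a finding
            case ":$sec:" in
                *:sys:*) echo "NONCOMPLIANT $mnt: sec=$sec permits sys"; status=1 ;;
                *)       echo "OK $mnt: sec=$sec" ;;
            esac
        fi
    done < "$1"
    return $status
}

# Constructed sample fstab (hypothetical hosts and exports). The last entry
# carries a stray space inside the option list, so mount(8) and this parser
# both read "rw,sync" as the entire options field and the sec= setting is lost.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host
UUID=00000000-0000-0000-0000-000000000000 / xfs defaults 0 0
192.168.21.5:/mnt/export  /data1 nfs4 rw,sync,soft,sec=krb5:krb5i:krb5p 0 0
192.168.21.5:/mnt/export2 /data2 nfs  rw,soft 0 0
192.168.21.5:/mnt/export3 /data3 nfs4 rw,soft,sec=sys:krb5 0 0
192.168.21.5:/mnt/export4 /data4 nfs4 rw,sync ,soft,sec=krb5 0 0
EOF
}

sample=$(mktemp)
write_sample_fstab "$sample"
if check_nfs_sec "$sample"; then
    echo "all NFS mounts use Kerberos flavors only"
else
    echo "review the NONCOMPLIANT mounts listed above"
fi
rm -f "$sample"
```

Run it against /etc/fstab instead of the sample to audit a real host; the sample yields three NONCOMPLIANT entries and one OK entry.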

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release 3, Benchmark Date: 26 Apr 2019

Vul ID: V-72311

Rule ID: SV-86935r4_rule

STIG ID: RHEL-07-040750

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Unix

Control ID: 319c0d46a04e41f34e6e15fcfb6db83639ad724a0cca26944c064537e099082a